ossec.conf: Granular Email options

Overview

Supported types

Global options are available in the following installation types:

  • server
  • local

Notes

Global email configuration is necessary to use the granular email options.

Location

All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <email_alerts>
        <!--
        Email_alerts options here
        -->
    </email_alerts>
</ossec_config>

Options

Examples

Example email alerts configurations:

Global Configuration:

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
</global>

Global Configuration with a larger maximum emails per hour:

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
  <email_maxperhour>100</email_maxperhour>
</global>

Granular Email alert: Level 12 and above:

<email_alerts>
  <email_to>other_admin@example.com</email_to>
  <level>12</level>
</email_alerts>

Syscheck alerts to syscheck admin address:

<email_alerts>
  <email_to>syscheck-admin@example.com</email_to>
  <group>syscheck</group>
</email_alerts>

Level 15 alerts from agent007 without delay or grouping:

<email_alerts>
  <email_to>bond@example.com</email_to>
  <event_location>agent007</event_location>
  <level>15</level>
  <do_not_delay />
  <do_not_group />
</email_alerts>
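The note above says granular email options only work when the global email configuration is in place. The following added example (not OSSEC project code) checks that dependency for a configuration file: it parses the file, wrapping it in a synthetic root because ossec.conf may contain several top-level <ossec_config> elements, and reports granular blocks that the global section cannot serve. The two sample configurations are constructed for the demonstration.

```python
"""Check an OSSEC ossec.conf for the dependency this page states: granular
<email_alerts> blocks only work when <global> email settings are complete.
Added example, not OSSEC project code; the sample configs are constructed."""
import xml.etree.ElementTree as ET

GLOBAL_REQUIRED = ("email_to", "smtp_server", "email_from")


def check_email_config(conf_text):
    """Return a list of problems; an empty list means the email config is consistent."""
    # ossec.conf may hold several top-level <ossec_config> elements, which is not
    # a single well-formed XML document, so wrap it in a synthetic root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    globals_ = root.findall("./ossec_config/global")
    granular = root.findall("./ossec_config/email_alerts")
    problems = []
    if not granular:
        return problems  # nothing granular configured, nothing to cross-check

    enabled = any(g.findtext("email_notification", "").strip() == "yes" for g in globals_)
    if not enabled:
        problems.append("<email_alerts> present but global <email_notification> is not 'yes'")
    for tag in GLOBAL_REQUIRED:
        if not any(g.find(tag) is not None for g in globals_):
            problems.append(f"global <{tag}> missing; granular alerts cannot be sent")
    for i, block in enumerate(granular, 1):
        if block.find("email_to") is None:
            problems.append(f"email_alerts block {i}: missing <email_to>")
        level = block.findtext("level")
        if level is not None and not level.strip().isdigit():
            problems.append(f"email_alerts block {i}: <level> must be numeric, got {level!r}")
    return problems


SAMPLE_OK = """<ossec_config><global>
  <email_notification>yes</email_notification><email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server><email_from>ossecm@example.com</email_from>
</global></ossec_config>
<ossec_config><email_alerts>
  <email_to>bond@example.com</email_to><event_location>agent007</event_location>
  <level>15</level><do_not_delay /><do_not_group />
</email_alerts></ossec_config>"""

# Same granular intent, but email never enabled globally, <email_from> absent,
# and the granular block lacks <email_to> and has a non-numeric <level>.
SAMPLE_BROKEN = """<ossec_config><global>
  <email_notification>no</email_notification><email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
</global><email_alerts><level>twelve</level></email_alerts></ossec_config>"""
```

To check a live installation, pass the text of /var/ossec/etc/ossec.conf to check_email_config and act on any returned messages.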